Data Processing Addendum
Between
The Customer pursuant to the Subscription Services Agreement, as data controller (herein referred to as the "Principal" or “Data Controller”)
and
Granular Insights, Inc., which shall, unless repugnant to the context or meaning thereof, be deemed to mean and include its subsidiaries, as data processor (herein referred to as the “Contractor” or “Data Processor”, and together with the Principal, the “Parties”)
Preamble
Further to a Subscription Services Agreement entered into between the Parties (the “SSA”), the Principal seeks to instruct the Contractor to undertake the processing of personal data as elaborated below and in the SSA.
1. Definitions of terms
1. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
2. Pursuant to Art. 4(7) of the GDPR, a data “controller” is the body that alone or jointly with others determines the purposes and means of processing personal data.
3. According to Art. 4(8) of the GDPR, a “processor” is a natural or legal person, authority, institution or other body that processes personal data on behalf of a data controller.
4. According to Art. 4(1) of the GDPR, “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
5. “Sensitive personal data” are personal data pursuant to Art. 9 of the GDPR which reveal the racial or ethnic origin, political opinions, religious or ideological convictions or trade union membership of the data subject, as well as genetic data (Art. 4(13) of the GDPR), biometric data processed for the purpose of uniquely identifying a natural person (Art. 4(14) of the GDPR), health data (Art. 4(15) of the GDPR) and data concerning sex life or sexual orientation, together with personal data pursuant to Art. 10 of the GDPR relating to criminal convictions and offences or related security measures.
6. According to Art. 4(2) of the GDPR, “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
7. According to Art. 4(21) of the GDPR, the “supervisory authority” is an independent state body established by a Member State according to Art. 51 GDPR.
8. Terms not defined herein but having specified definitions under the GDPR shall be construed as having the same meaning herein.
9. Subsidiary means in respect of any company, person or entity, any company, person or entity directly or indirectly controlled by such company, person or entity (including any Subsidiary acquired after the date of this Agreement) and “Subsidiaries” shall mean all or any of them, as appropriate. Please see Appendix 3b for a complete list of subsidiaries and affiliates.
2. Subject matter of this Agreement
1. This agreement (the “Agreement”) concerns the processing of personal data by the Contractor on behalf of the Principal, towards the Contractor’s provision of Services to the Principal in accordance with the SSA. Art. 28 of the GDPR places certain requirements on the processing of personal data by a processor on behalf of a controller. In order to comply with these requirements, the Parties have agreed to conclude this Agreement.
2. The provisions of this Agreement shall apply to all activities related to the SSA by which the Contractor and its employees or agents come into contact with personal data originating from or collected for the Principal.
3. In case of any conflict or discrepancy, the provisions of this Agreement shall take precedence over the provisions of the SSA.
4. The Contractor may process the Principal’s personal data only in accordance with this Agreement, and for the purpose of providing the Services as detailed in the SSA and the Appendices to this Agreement.
5. This Agreement shall be co-terminous with the SSA, subject to the termination rights set out hereunder.
6. The performance of the data protection requirements set out herein shall not be remunerated separately, unless this has been expressly agreed.
3. Roles of the Parties
1. The Contractor shall, in the course of providing the Services, process personal data originating from the Principal as follows:
As a processor (Art. 4(8) of the GDPR), when it receives access to personal data and processes these exclusively on behalf of, and in accordance with the instructions of, the Principal. The scope and purpose of such data processing by the Contractor result from the SSA (and the corresponding service description). It is the responsibility of the Principal to determine whether the data processing instructed in the SSA, read together with this Agreement, is permissible.
As a controller, where it processes certain customer account data or other specified kinds of personal data for the purposes of providing the Clarisights platform to the Principal. The Contractor will remain an independent controller in respect of such processing, and not be a joint controller with the Principal.
4. Principal’s Rights of instruction
1. The Contractor may only collect, process or use data within the framework of the SSA and in accordance with the instructions of the Principal; this applies in particular with regard to the transfer of personal data to a third country or an international organisation.
2. Where the law of a country or state to which the Contractor is subject obliges the Contractor to undertake further processing, the Contractor shall inform the Principal of these legal requirements before undertaking such processing.
3. The instructions of the Principal are initially determined by this Agreement and can then be changed, supplemented or replaced by the Principal in writing or in text form by individual instructions (“instructions”). The Principal is entitled to issue appropriate instructions at any time. This includes, among other things, instructions regarding the correction, deletion, exclusion and restriction of data.
4. All instructions given must be documented by both the Principal and the Contractor. Instructions that go beyond the service agreed in the SSA are treated as a request for a change in service.
5. If the Contractor is of the opinion that an instruction of the Principal violates data protection regulations, it must inform the Principal immediately. The Contractor is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Principal. The Contractor must refuse to execute an obviously unlawful instruction.
5. Types of personal data processed, groups of data subjects
1. During the execution of the SSA, the Contractor shall have access to the personal data specified in Appendix 1, as well as, if applicable, sensitive personal data marked as such.
2. The group of data subjects affected by the data processing is set out in Appendix 1.
6. Security measures of the Contractor
1. The Contractor shall maintain appropriate technical and organizational measures against the accidental, unauthorized or unlawful processing, destruction, loss, damage or disclosure of the Principal’s data.
2. The Contractor is obliged to comply with the security measures set out in Art. 32 of the GDPR. The Contractor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3. The Contractor may modify the actual measures taken or the parameters on which they are based, as long as the Contractor has satisfied its obligations to provide appropriate technical and organizational measures in its processing of the Principal’s data.
4. The persons employed in data processing by the Contractor are prohibited from collecting, processing or using personal data which is processed under the SSA, without authorisation. The Contractor shall oblige all persons entrusted by the Contractor with the processing and performance of this contract (hereinafter referred to as “employees”) to confidentiality in accordance with Art. 28(3)(b) of the GDPR and shall ensure compliance with this obligation with due care. These obligations shall be such that they continue to apply even after termination of this Agreement or the employment relationship between the Contractor and any of its employees. Upon request, the Contractor shall demonstrate its compliance with such obligations to the Principal in an appropriate manner.
7. Information duties of the Contractor
1. In the event of a personal data breach or other irregularities in the processing of personal data by the Contractor, its employees or third parties engaged by it, the Contractor shall immediately inform the Principal in writing or in text form of such incident or irregularity.
2. The report of a breach of personal data shall contain at least the following information:
a description of the nature of the breach, indicating where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
a description of the measures taken or proposed by the Contractor to address the breach and, where appropriate, measures to mitigate its potential adverse effects.
3. The Contractor shall immediately take the necessary measures to secure the data and to reduce possible adverse effects on the data subjects, notify the Principal thereof and request further instructions.
4. In the event that the Principal's data are jeopardised by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Principal without delay, unless this is prohibited by court or official order. In this context, the Contractor shall immediately inform all responsible authorities that the decision on the data lies exclusively with the Principal as "Data Controller" within the meaning of the GDPR.
5. The Contractor shall inform the Principal without delay of any material changes to the security measures pursuant to Section 6.3.
6. The Contractor and, where applicable, its representative(s), shall keep a list of all categories of processing activities carried out on behalf of the Principal, containing all the information referred to in Art. 30(2) of the GDPR. The list shall be made available to the Principal on request.
7. The Contractor shall participate to an appropriate extent in the preparation of records of processing activities by the Principal pursuant to Art. 30(1) of the GDPR. The Contractor shall provide the required information to the Principal in an appropriate manner.
8. Contractor’s Duty to Cooperate
1. The Contractor shall provide reasonable assistance to the Principal with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which may reasonably be considered to be required by Arts. 35 or 36 of the GDPR. Such assistance shall in each case relate solely to the processing of personal data by the Contractor on behalf of the Principal and/or in relation to its provision of Services to the Principal.
9. Control rights of the Principal
1. The Principal shall verify the technical and organisational measures of the Contractor prior to the commencement of any data processing and thereafter at appropriate intervals. The Principal shall carry out inspections only to the extent necessary and shall not disproportionately disturb the Contractor's operating procedures.
2. The Contractor is obliged to provide the Principal with all information at its disposal, to demonstrate compliance with its obligations under Art. 28 of the GDPR.
10. Use of sub-processors
1. The contractually agreed services, or the partial services described in Appendix 3, shall be performed with the involvement of the sub-processors named in Appendix 3. Within the framework of its contractual obligations, the Contractor is authorised to establish further sub-processing relationships with other sub-processors ("sub-processing relationship"). The Contractor shall inform the Principal immediately about the engagement of new sub-processors. The Principal may object to the engagement of new sub-processors, providing legitimate reasons for such objection, within 30 days of being notified by the Contractor, after which the Principal shall be deemed to have approved such engagement.
2. The Contractor is obliged to carefully select sub-processors according to their suitability and reliability. When involving sub-processors, the Contractor must oblige them in accordance with the provisions of this Agreement and thereby ensure that the Principal can exercise its rights under this Agreement (in particular its inspection and control rights) directly with respect to the sub-processors. If sub-processors are to be involved in a third country, the Contractor must ensure that the respective sub-processor guarantees an appropriate level of data protection in accordance with Art. 44 of the GDPR (e.g. by concluding an agreement based on the EU standard data protection clauses). The Principal reserves the right to object to the inclusion or modification of the existing list of sub-processors in accordance with Art. 28(2) of the GDPR.
11. Requests and rights of data subjects
1. The Contractor shall support the Principal as far as commercially reasonable with suitable technical and organisational measures to fulfil its obligations under Articles 12-23 and 32 to 36 of the GDPR.
2. If a data subject asserts rights, such as the right to access data under Art. 15, rectification pursuant to Art. 16 or deletion pursuant to Art. 17 of the GDPR, directly against the Contractor, the Contractor shall not react independently but shall immediately refer the data subject to the Principal and await the Principal’s instructions.
12. Liability
1. The Parties’ respective liabilities shall be determined in accordance with applicable law and the factual circumstances. A Party shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage suffered by a data subject.
2. Where a sub-processor fails to fulfil its data protection obligations, the Contractor shall remain fully liable to the Principal for the performance of such sub-processor’s obligations.
13. Extraordinary right of termination
1. The Principal may terminate this Agreement, and the SSA, in whole or in part without notice if the Contractor fails to fulfil its obligations under this Agreement, intentionally or with gross negligence violates provisions of the GDPR, or is unable or unwilling to carry out a legitimate instruction of the Principal. In the case of simple negligence (i.e. neither intentional nor grossly negligent conduct), the Principal shall grant the Contractor a reasonable period within which the Contractor can remedy the infringement. Failure to remedy the infringement within that period shall entitle the Principal to terminate this Agreement and the SSA unilaterally.
2. Termination under the provisions of this clause shall not affect any of the statutory rights of the Principal.
14. Termination of the SSA
1. Upon the termination of the SSA, for whatever reason, the Contractor shall return to the Principal all documents, data and data storage media made available to it or, at the request of the Principal, delete them, unless an obligation to retain the personal data exists under applicable law. This also applies to any data backups in the Contractor's possession.
2. The Principal has the right to check the complete and contractual return or deletion of the data at the Contractor in an appropriate manner.
3. The Contractor is obliged to treat all data made available to it in connection with the SSA with strict confidentiality even after the termination of the SSA. The present Agreement shall remain valid beyond the termination of the SSA as long as the Contractor has access to personal data provided to it by the Principal or which it has collected for the Principal.
15. Final clauses
1. The Parties agree that the assertion of a right of retention by the Contractor with regard to the data to be processed and the associated data storage media is excluded.
2. Amendments and additions to this Agreement must be made in writing and signed by both Parties. This also applies to the waiver of this formal requirement.
3. Should individual provisions of this Agreement be or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions.
4. This Agreement is governed by the law of the jurisdiction in which the Principal has its registered seat. The exclusive place of jurisdiction for any disputes is the Principal's registered seat.
Please see Appendices to the DPA here.